present version of l2tpconfig and openl2tpd with RPC enable (from openl2tpd-1.7) seems to be very unsecure for me. Even with network access by default in openl2tpd, there are no local permission checks, thus effectively any local user may do anything with running openl2tpd and its connections.

OpenL2TP was originally designed for use in closed systems (i.e. telecoms equipment) where RPC could be used to control several OpenL2TP instances on different line cards over a network within the chassis. The possibility of a malicious local user was ignored in the design.

bircoph wrote:

So, please, please, please! Implement at least a basic RPC access control like username/password. The better way is to engage PAM and the best way is to enable SSL/TLS support for network control. I know, I ask for a lot of work, but at least login/passwd RPC access control will do a great job.

This would be a great project. We don't have resources to put on it right now. If anyone is interested in working on it, please let us know.

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot post attachments in this forum